home.social

#jsonwebtoken — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #jsonwebtoken, aggregated by home.social.

  1. JWT-Authentifizierung umgehbar: Sicherheitslücke im OpenID Connect Authenticator für Apache Tomcat

    Im Rahmen eines Kundenprojekts haben IT-Sicherheitsexperten von ERNW Research eine Schwachstelle in der Bibliothek OpenID Connect Authenticator für Apache Tomcat identifiziert, die es erlaubt, die JWT-basierte Authentifizierung durch gezielt manipulierte, unsignierte Tokens zu umgehen.

    all-about-security.de/jwt-auth
    authenticator-fuer-apache-tomcat/

    #jwt #JSONWebToken #apache #apachetomcat #token

  2. I implemented support for RSA-PSS padding in my #JsonWebToken crate today. I feel no closer to understanding crypto at all.

  3. Ding, dong, the CVE is dead! :partyparrot:

    The JWT nodejs "vulnerability" from December, popularised at the start of January, has been recognised as a non-issue 🫥

    I'm really glad to see it gone. Hoping we get a rash of news stories to follow up on the torrent 🌊 that followed the Unit 42 blog...

    I'm not sure if its removal was down to me raising an issue on the GitHub Advisory Database :omya_github: to ask for it to be removed.

  4. Online la seconda puntata del 2023 di #NINAsec !

    Si parla degli impatti di #JsonWebToken e della sua vulnerabilità, poi di #infostealers che stanno agitando le loro campagne malevole anche in Italia ⤵️

    buttondown.email/ninasec/archi

  5. I see reports about a #JsonWebToken vulnerability (CVE-2022-23529), claiming that RCE is possible. Maybe I’m the one missing something here, but how could this possibly be exploited? Is that even a valid vulnerability report?

    In order to exploit the vulnerability, someone needs to define a malicious toString function on the key object. Well, if they can do that – why do they need the library to call the function, can’t they do it themselves? They need to run JavaScript code on the server in order to create that function, meaning that the prerequisite for RCE is… 🥁​ RCE!

    There seems to be the assumption here that this key object can somehow be serialized along with the function, and then the library will deserialize it from some manipulated storage. But JSON doesn’t serialize function code, and neither does any other serialization format that JavaScript code might use.

    Seriously, how is that going around in the news without anybody asking: is there a single realistic scenario where this CVSS score 7.6 (as assigned by the reporter) vulnerability could be abused?

  6. #jsonwebtoken High Severity Security #Vulnerability Found in "jsonwebtoken" #NPM Library (CVE-2022-23529). Attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted #JWT request. Update jsonwebtoken package to v9.0.0: thehackernews.com/2023/01/crit

  7. JSON Web Token (JSON Web Encryption) Authentication with Kirby CMS 3 - In yet another recent project, I’m building a book proposal submission... blog.mhgbrown.is/posts/8b72bbd #Dev #Kirby3 #Authentification #JSONWebToken by @[email protected]